Episode 425 — USB Device Tracking and PFsense

In this episode Peter Giannoulis joins us from TheAcademyPro.com. Chris Gerling is back in studio talking about USB device tracking. And Matt is building the new HakHouse firewall/router with pfSense. Plus a ton of haksnax to get your grub on.


Show Notes

USB Device Tracking

If you’ve ever used a USB storage device and wondered how stealthy you can be with them, you’re in for a scare. Windows XP logs pretty much everything you’d want to know about that USB key in the registry each time it’s plugged in and written to.

When you plug in your USB drive, the Plug and Play manager gets notified and queries the device descriptor in the firmware for information about the device. This helps it locate a driver, which is referenced by the various .inf files in the %SystemRoot%\inf folder. Once the device is identified and a driver selected, the information is dropped into HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR with a format similar to Disk&Ven_###&Prod_###&Rev_###, which identifies the device ID, manufacturer and more. An important value you will find here is the ParentID prefix (which I did not actually mention during the segment); it appears in virtually every registry entry regarding the device.

Microsoft uses serial numbers on the devices to distinguish between devices with the same manufacturer or model. In the case that the serial number is not unique (or even not present), the PnP manager will create a unique instance ID for the device.

All of the numbers you find related to each device should be logged if you’re doing any sort of investigation or trying to track a device across computers.

If you’re trying to determine whether data was perhaps pilfered from your machine/network, you will want to look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses, where you will find the ParentID prefix and will be able to correlate it to the device. You should also see the manufacturer name here. What we are looking for is the Last Write time of the key, which helps in determining whether data was pilfered by giving you a timeframe as to when someone last copied data to the device. To get it, right-click the entry that has the ParentID prefix and manufacturer name for the device you want, then click Export. Change the file extension to .txt and name it anything you want, remembering where you save the file. When you open this file, you will find the last write time.
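As an added example (my code, not from the segment or from Chris Gerling), a Python parser for regedit text exports of the USBSTOR and DeviceClasses keys: it pulls vendor, product, revision, instance id and ParentIdPrefix (the registry value name behind the "ParentID prefix" above), reads each key's Last Write Time, and correlates the two keys to get the timeframe the segment describes. Assumptions: the export layout follows regedit's "Text Files (*.txt)" format, all device data in the sample is constructed, and the "&"-in-second-position rule for PnP-generated instance ids is a forensics heuristic the show notes do not state.

```python
import re
from datetime import datetime

# Constructed sample in the layout of regedit's "Text Files (*.txt)" export
# (Key Name / Last Write Time / Value N blocks); all device data is made up.
USBSTOR_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleVen&Prod_ExampleDisk&Rev_1.00\0123456789ABCDEF&0
Last Write Time:   2/5/2009 - 9:14 AM
Value 0
  Name:            ParentIdPrefix
  Type:            REG_SZ
  Data:            7&1a2b3c4d&0
"""
# Constructed DeviceClasses export (volume class); its key name embeds the ParentIdPrefix.
DEVICECLASSES_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Last Write Time:   2/7/2009 - 11:52 PM
"""
# Disk&Ven_###&Prod_###&Rev_### followed by the instance id (serial or PnP-generated).
USBSTOR_KEY = re.compile(r"USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^\\]*)\\(\S+)")

def parse_export(text):
    """Split a regedit text export into key blocks: path, last-write time, values."""
    keys, cur, name = [], None, None
    for line in text.splitlines():
        field, _, data = line.strip().partition(":")
        data = data.strip()
        if field == "Key Name":
            cur = {"key": data, "last_write": None, "values": {}}
            keys.append(cur)
        elif field == "Last Write Time" and cur:
            cur["last_write"] = datetime.strptime(data, "%m/%d/%Y - %I:%M %p")
        elif field == "Name" and cur:
            name = data
        elif field == "Data" and cur and name:
            cur["values"][name] = data
            name = None
    return keys

def usbstor_devices(keys):
    """Vendor, product, revision, instance id and ParentIdPrefix of each USBSTOR device."""
    devices = []
    for k in keys:
        m = USBSTOR_KEY.search(k["key"])
        if not m:
            continue
        ven, prod, rev, inst = m.groups()
        devices.append({
            "vendor": ven, "product": prod, "revision": rev, "instance_id": inst,
            # Forensics heuristic (assumption, not from the show notes): '&' as the second
            # character means the PnP manager generated the id for lack of a usable serial.
            "serial_from_firmware": inst[1:2] != "&",
            "parent_id_prefix": k["values"].get("ParentIdPrefix"),
            "usbstor_last_write": k["last_write"],
        })
    return devices

def correlate(devices, class_keys):
    """Attach the newest DeviceClasses last-write time whose key name carries the device."""
    for d in devices:
        hits = [k["last_write"] for k in class_keys if k["last_write"] and
                ((d["parent_id_prefix"] and d["parent_id_prefix"] in k["key"])
                 or d["instance_id"] in k["key"])]
        d["deviceclasses_last_write"] = max(hits) if hits else None
    return devices
```

Run it as `correlate(usbstor_devices(parse_export(usbstor_txt)), parse_export(deviceclasses_txt))` on the two exported .txt files; each resulting dict carries both last-write times for one device.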

There are many applications for this data, and you’ll probably never be in the registry doing it quite this way, as there are many tools, both commercial and free, that simplify all of this. This data is also used in tools/services that help track your devices, such as iHound (ihoundsoftware.com), which helps you track devices if they’re stolen.

If you have any questions feel free to contact me here and visit my website. Many thanks to Harlan Carvey, author of the 2007 book Windows Forensic Analysis (I think I might’ve errantly said 2005, sorry), for without this book I wouldn’t have known as much as I do about the Windows registry.

While our Smoothwall has been working well for us for the past two years, I recently needed something a little more robust.

I came across pfSense, a fork of the m0n0wall project. pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility, to allow you to filter by the operating system initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the operating system in use.

Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.

Transparent layer 2 firewalling – pfSense can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).

Packet normalization – description from the pf scrub documentation: “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”

Scrubbing is enabled in pfSense by default and can be disabled if necessary. This option causes problems for some NFS implementations, but it is safe and should be left enabled on most installations.

Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.

This month, we are playing Left4Dead and Zombie Panic! Join us for our LAN Party on Saturday, February 28th at L4D.hak5.org or ZP.hak5.org for a good ol’ zombie apocalypse.

Trivia

Last week’s trivia was: “In PHP, which is faster and why? `echo "Hello World";` or `print("Hello World");`?” Zoltan answered right with: “Echo is faster because it doesn’t set a return value and ‘print’ is a more complex function.” Zoltan wins a copy of Pronobozo’s CD ‘Zero=One=Everything’. You can check out more of Pronobozo’s music at his website.

If you want to win this week’s giveaway, enter the letters you see popping up during the episode into our trivia page and answer the trivia question in the first 24 hours from when this episode releases. We will choose a random winner out of the correct answers!

Have a segment suggestion, constructive feedback, or a snack idea for Kerby? Email your ideas to Feedback@hak5.org. Thank you!

Stickers

Don’t forget! We’ve got brand new sticker packs as thanks for your donations at Hak5.org/stickers. Without your help, we wouldn’t be HD right now.

Shmoocon

We will be at Shmoocon this weekend, February 6-8 in Washington DC. If you are in the area, join us for the annual podcaster’s meetup. Meet our cast and crew as well as lots of other great podcasters from PaulDotCom, Securabit, Sploitcast, Cyber Speak, Security Justice, and more! Get the info at Podcaster’s Meetup.com.

Survey

We’re conducting a survey to get some additional information about our viewer. We would love your feedback. If you have a few minutes to spare, please do us a favor and take the survey at the survey page.

For those of you who complete the survey, you will be treated to a sneak peek at a new show that Revision3 has been working on and get a back stage look at the pre-production of a Hak5 episode.

56 Comments

There was no place in the survey to discuss the show. I don’t like the new format. I miss Wess and Alli. I don’t particularly care for the grey-hat tilt that has developed over the last season, and there’s too many episodes now.

I don’t think I’ve watched a whole episode all season. I can’t even be bothered to download them anymore.

I personally liked seasons one through three the most so far because of the good dynamic and chemistry between Wess, Harrison, and Darren. That’s not to say the new version of the show is bad, but it’s just too much like The Screen Savers and not quite like the original episodes, which had a great underground feel to them.

I can understand what a lot of people are saying. I still believe that, although you can’t please all, the majority of the people that watch all of your shows are people interested in tech related subjects.

But seriously, I came across HAK5 on YouTube and since then it’s become quite an addiction. I tried to seek help but there is no cure *Now to me that’s a bonus ;)*

But to be honest it’s not just the quality of the show that makes it good; the HAK Crew are a great bunch, and tie that in with the fantastic segments and well written show notes, well, what can I say, it’s probably the best IT related show I have ever watched.

The show evolves, the cast changes and season past will never be the same as season present. However chemistry develops, technology is dissected and laughs are had. The core of Hak5 is technolust and that remains throughout.

When presented with a situation of disband or press forward I’ll always beat the drum. This show is blessed with an enthused crew and a loyal and honest fan base.

We won’t please everyone all the time but as long as we put our passion in the show we’ll be happy with what we create and ultimately that’s what matters to me.

As always thank you for your continued feedback. Tell all your friends about Hak5 and stick around for ever enriched technolust.

Was glad to see a segment on pfSense as I was gonna try it out; currently using Endian but not sure it’s doing what I want it to do. One thing Endian has that pfSense doesn’t seem to is HTTPS for its login. However, the segment was too short. You say you’ll be back with more in-depth on it, but I’ve heard that said before and it never happens (or I just missed the episodes with the follow-ons).

But please, please, please, for the love of god, replace your table :o) Its slight rocking is beginning to be a bit annoying. Get one that’s stronger and doesn’t move when you guys lean on it. I wait for the day it actually ends up tipping over :o)

Speaking to the length of the episodes: looking back, the average episode length of seasons 2 and 3 was approx 50 – 55 minutes.

Season 4 episodes are around 30 – 35 minutes.

Regarding the lack of underground feel, while we understand we can’t be everything to everyone, I would argue that there’s a whole lot more technolust to go around being that we’re weekly, and we can give an overview of something on one episode, and dive deeper in the next. While we haven’t done this yet because of all of our conference coverage, this is something we’re actively looking at.

And as Darren said, so long as we convey our interest and passion in what we’re doing, I think that goes much further than trying to make what you see feel ‘underground’.

Dude, what we’re doing *IS* underground. If you wanna see mainstream get off the Internet and turn on a television at 9 o’clock.

A bunch of friends geeking out about what matters to them in front of a few cheap cameras in their retrofitted living room with a hack-job HD mixer for 100 thousand like minded nerds on the Internet is far, far, FAR from mainstream.

These are the golden days of Internet television. Soak it up!

PS: February 18th marks the beginning of Hak5 Season 5. Check it out at http://is.gd/ixmY

I agree, I think the episodes are a bit short. But it’s ok where it is. Definitely don’t make it much shorter. Maybe the Squarespace propaganda is a bit long in the tooth already. If you want short, you can go find those crappy 1:45 exploit vids on YouTube. I look forward to the show improving; I’m optimistic. As far as Shannon’s bits, I think they’re fine. As far as Matt’s segment, I’m ambivalent. I don’t want to pick on Matt, that’s childish. Some people might like this PFsense segment. Personally, it’s kind of “yet another firewall configuration.” I think walk-throughs are great but this is pretty basic and not really much different from configuring any other firewall. But some people might like it. Also, did I hear a censor beep?

What’s the deal with the ending credit clip? Not that it surprises me; Matt, I hate to pick on a member of hak5, but why does it always seem like you’re trying to run the show? I could have sworn a little while back that you were only on the show because you were assisting in funding behind the scenes; it just seemed like you kept trying to use financial comments to end arguments – almost as if they were threats. And now this little blow-up at Darren wrapping the show?
Don’t get me wrong: I still enjoy your segments and your adding a slice of “enterprise” to the mix; it allows me to suggest Hak5 to people at work. But what drew me to this show in the first season (and kept me with it) is “one for all”, not “all for one”. I have no idea about the politics that go on behind the scenes and I’m most likely misguided in this drunken rant, but there’s still something that just feels wrong with the dynamic as of late.

As for Shannon: I think you’re doing a great job, and getting better with every segment as you get more confident and comfortable. I think a few commenting viewers forget that some of the other cast members have had 3 additional seasons to get acquainted with the camera. Keep it up =)

For those of you that didn’t know, the end credit scene was completely staged and fake. We had no idea that people weren’t going to get the joke, we’ll have to think a little bit more about how we approach some of our skits and such.

As far as the show being about me, I’m not really sure where you got that idea from, but this has and will always be a team effort. While it’s true we’re a little burned out, it’s not because there’s infighting; between the conferences, some changes in production, real life, and a host of other things, we, like everyone else, get a little run down. But after Shmoocon we’re pretty much finished with conferences until August, so that coupled with the new production equipment will make it so that we’ll have the time to develop great new content. Previously it used to take us 2 hours to set up, another 3 to shoot the show and another hour and a half to take down. With some recent refinements in our equipment usage and preplanning, we’re down to about 30 minutes for setup and 1.5 hours to shoot the show, with about 20 minutes to take down. The simple fact that we no longer have to worry about sound, video, etc. is a huge load off our shoulders.

Some have commented that they wish the show looked and felt more underground. While we can understand the human nature of resisting change, this is something that needed to happen. Without the advances in things like the set, the technology behind the show, and production process improvements, it’s unlikely the show would still be going today.

The fact of the matter is, we love putting the work in to developing new content, and showcasing some of the things that we enjoy on a daily basis. While yes, pfSense is another firewall, how many people saw that segment and looked at their blue linksys router, and then at their old 400mhz Pentium II and got to work on installing pfSense on it and replacing it with the pfSense box? It’s this spark of curiosity and creativity that we hope to provide to people.

While a particular segment may not apply to you, can we really create a customized show for each of you? Of course not. Would we like to if we could? Sure, but we realize that not everyone is going to love what we do all the time, and we understand that. But sending feedback, and suggesting segments is a much better avenue than “this sucks and so do you” kind of comments.

As I sit here and write this in the podcasters lounge of Shmoocon, I’m truly humbled by the number of people who have come up to us and said that they enjoy the show, and are glad to have gotten the chance to meet us in person.

We’re not celebrities. We all have day jobs, we all work 40+ hours a week, and on top of that create a weekly IPTV show that people enjoy. We’re not superhuman, we’re just like you, and I personally wouldn’t have it any other way.

If you’ve stuck with this post for this long you deserve a medal of honor.
Matt

I think the show is great. The ‘staged ending’ I assumed was real at the time and that it was put in because the cast saw the funny side afterwards!

Episodes I wish were longer, I could watch this kind of stuff all day but ofc I appreciate you have lives to live too.

Would love some more tech-y stuff in the show, ha(c)ks, forensics, etc. My one contribution off the top of my head as I am writing this for a segment idea (or multiple segments probably) is a “roll-your-own-linux-from-source” tutorial (not just some ubuntu (ARGHH!!) remaster). That would really interest me.

Shannon is awesome again; if she participated more than just “hak5 is brought to you by godaddy.com blah blah blah” and “this week’s LAN party is Quake 3 etc etc”, I’m sure people would respect her as a part of hak5 more than I sometimes read in comments and the forum. The rainbow tables segment, although it seemed trivial to me, showed she can do it! Bring her in more; even teamed up with Darren/Matt/etc would be good (are Darren + Shannon together btw? Off topic I know, but I just get that feeling when they are together on the show)

Darren’s PHP makes me smile

Get a new table (like that other guy said)! That wobbling scares me too.

That’s about all that’s on my mind about the show at the moment. I filled in the survey; wish I’d been warned that the free preview was some random music show before I spent 2 hours downloading it, yeah, my internet speed sucks.

As always guys, a great show. Been a little late watching this episode; got stuck in a field with no bandwidth for two weeks. In the car now streaming the vid as I drive home.
One thing I would like to see is a few more mods like the arcade cabinet and the guitar mod.

I have been watching Hak since the very first episode and I personally think that each season has and is getting better and better, same goes too for the cast, (Yay for the hot-tech chicks!!) Although I do miss Harrison and Wess.

I agree about the ‘underground’ feel that seasons 1-3 had but I like the direction it’s going in, and anyway what does that matter as long as content is good, which for the most part gets my vote!

I’m dying to watch the last 2 eps, now if only I can figure out what I’ve done to my Fedora sound garrrr….oh well it’s 3AM my technolust can wait till the morning.

I just discovered Hak.5 back in November, 2008, during Season 4 episodes. Don’t want to sound dramatic, or anything, but it was a turning point for me in my ambitions as an IT geek. I’ve been doing the whole NOC engineer, datacenter tech, PC tech thing as a job now for quite a while and have been getting a little bored with it of late. I have always been interested in security engineering and hacking, and how the two interplay.

In comes Hak.5. You guys have presented information that has re-kindled my interest and passion for network and security engineering. The Jasager + FON stuff really sparked my interest and it’s just been a fun ride since then with lots of cool technolust.

I don’t really care to comment about who is on the show, or about the visual aesthetics of the show, or how it feels, etc. I think it looks great, sounds great, and everybody that comes on camera does a fantastic job; some people are not as comfortable in front of a camera as others and that is cool.

Thanks for taking the time out of busy work and life schedules to provide a FREE IPTV show for those of us who are truly passionate about learning this stuff and geeking out with it on a daily basis.
